"Taunus. As high as you can go. Because the Taunus is full of high points – and offers so much at such a high level" that's the punchy slogan on the Taunus Tourism website. High points at a high level was certainly what visitors to the FIRM research conference and FIRM Offsite 2015 experienced at the Glashütten College in the Taunus region. On 11th and 12th June, respected academics and practitioners met to give those in attendance some expert insights into the issue of risk management. The venue – the College at an altitude of around 500 metres in the High Taunus – was the perfect choice. It provided the best outlook for inspirational and stimulating discussions, with a broad perspective on the world of risk management.
Current projects and interdisciplinarity
As in previous years, communication was at the heart of this year's research conference. Current research projects were presented and discussed, covering issues such as "Expected Loss over Lifetime", the influence of dual control on default rates in lending, and the procyclic nature of regulation. The diversity of presentations and discussions once again reflected the variety and interdisciplinary nature of the issues relating to risk management and regulation. Over two days, the 2015 Offsite and the research conference built numerous bridges between different disciplines and between academics and practitioners.
Sailing without a rudder
Theory and practice are two concepts that are frequently thought to have a somewhat contradictory relationship with one another, while in reality there is a rational relationship between them. Those who get caught up in practice without an academic basis are like sailors who board a ship without a rudder or compass, according to the Italian polymath Leonardo da Vinci. They can never be sure where they will end up. His conclusion is that practice should always be founded on good theory. The famous polymath was not just an academic, he was also a painter, a sculptor, an architect, an anatomist, a mechanic, an engineer and a natural philosopher.
These days it is common for theory and practice to be seen as opposites, with no appreciation of their mutual relationship. Against this backdrop, building bridges is even more important in moving from apparently "grey theory" into the "colourful world of practice".
Procyclic effects in capital regulation
Markus Behn (University of Bonn), Rainer Haselmann (University of Frankfurt) and Paul A. Wachtel (New York University) presented their research results on the procyclic nature of capital regulation and bank lending. Since the introduction of the Basel I guidelines back in 1988, one of the primary objectives of banking regulation has been for equity capital requirements to be much more closely linked to a bank's actual risk. This kind of regulation can have negative side-effects, as a bank's actual risk – and therefore the equity capital requirements for that bank – will tend to increase during a downturn. As a consequence, banks could offer less lending in a downturn. The academic study analyses the impacts of model-based equity capital regulation on lending in a recession.
It is the first study that has been able to directly quantify the effect of model-based equity capital regulation on bank lending and on companies' financing opportunities. The study shows a significant curtailing of lending after the collapse of the US investment bank Lehman Brothers in the autumn of 2008 as a result of procyclic regulation. The academics have been able to demonstrate that loans that use the model-based IRB approach, are reduced by 3.5 percent more than loans that use a traditional valuation method. The study shows a significant effect. Banks that acquire a higher proportion of their loans as (risk-sensitive) IRB loans record a sharper fall in total lending in a crisis. Summary: Micro-supervision of equity capital regulation can have considerable real effects on lending.
More eyes reduce risks
In his presentation, Tobias Berg, junior professor at the Institute for Financial Market Economics & Statistics at the Friedrich-Wilhelm University in Bonn, looked at the influence of the dual control principle on default rates in lending. He asserted that involving back-office control functions in lending decisions can reduce default rates by around 50 percent. The methodology presented also enables the efficiency of different banking processes to be compared as they are defined by clear and transparent boundaries. Examples include the dual control principle, loan committees and separation of private and business customers.
Expected Loss over Lifetime
Estimates of the expected loss over the entire term of a transaction are increasingly in demand, both in accounting and in regulatory law. Estimating the expected loss induced by credit risk is hugely relevant, particularly in terms of IFRS 9 (Phase 2 – Impairment), but also in areas such as loss-free valuation of bank portfolios under the German Commercial Code, multi-year capital requirement calculation and the current BA minimum requirements for risk management. In 2018, IFRS 9 will demand calculation of the expected losses over the entire lifetime of financial instruments. This contrasts with the current practice of a single analysis period, for example a day or a year. For example, in the future expected economic trends can be included when calculating the Lifetime Expected Loss. Neither the regulator nor the International Accounting Standards Board will stipulate specific methods for estimating the Lifetime Expected Loss for accounting purposes. They will merely define a general framework for the estimating process.
A paper published by Steffen Krüger, Toni Oehme and Daniel Rösch (University of Regensburg) describes a common estimating method for the (expected) loss and its components, in other words standard times, the term structure of the losses on default, and its dependency using copulas.
Influence of financial education on deposit interest rates
Florian Deuflhard from the University of Frankfurt gave a presentation that addressed the influence of financial education on deposit interest rates. The focus was on the following research question: Do the interest differences observed reflect only differences in product characteristics or can they also be explained by investor characteristics such as financial knowledge? Studies already published indicate that households with a high level of financial knowledge are better prepared for retirement, invest more frequently in shares and accumulate more assets. The results of the study are clear: Financial knowledge explains some of the interest differences. The impact channels primarily result from familiarity with modern technologies (online accounts) and product comparison between banks. According to the authors, this leads to far from trivial welfare losses for the majority of households.
Managing a global bank
In his presentation, Wilfried H. Paus, Global Head of Risk Analytics & Living Wills at Deutsche Bank AG, addressed the challenges in the industry caused by a difficult economic environment and fundamental reforms. The issues Paus cited include EMIR, MiFID, CRR/CRD IV, BRRD, APAC and OTC regimes. The trend is clear. There has been a huge increase in the complexity of regulation. In this context, there is currently an evolution taking place in risk management resulting from all the regulation. Wilfried H. Paus sees three main trends: 1. More regulatory stress tests, 2. Reduction in RWA volatility through "RWA floors", and 3. Subsidiarisation, in other words the growing demand for local risk management and reporting.
Good and responsible corporate management
Klaus-Peter Müller, supervisory board chairman at Commerzbank AG and, from 1990 to 2008, a member of the Commerzbank AG board, gave a talk about the topical issue of "Corporate Governance and Management of Compliance Risks". Compliance is generally understood to mean adherence and conformity to a set of rules. This includes meeting legal requirements, as well as voluntary internal codices. Müller argued that commercial activity cannot just pursue individual interests, but must take into account the impact on public welfare in addition to the interests of the relevant company.
A company can only be economically successful in the long term if it recognises public welfare and the prevailing values and attitudes in society and consciously bases its behaviour on them. His conclusion is that adherence to the principles of good and responsible business management represents a location factor that should not be underestimated in a competitive global market and can strengthen a business location.
Global risk issues in the financial industry
According to Finja Carolin Kütz, a partner at Oliver Wyman in Munich, the map of risk issues is more crowded than ever before. Stress testing, SREP, ILAAP, RWA review, governance, BCBS 239 and cyber risks are just some of the important themes in this context. The trend is clear. Requirements and supervisory practice are constantly becoming more granular, data-based and holistic. However, it is also a fact that – regardless of any regulatory considerations – risk management has become more complex in recent years.
Growing significance of compliance risks
In her presentation, Joyce Clark, Principal at McKinsey & Company in Düsseldorf, argued that the financial crisis has shown that corporate cultures based on integration of governance, risk management and control mechanisms are essential to firmly establish compliance and are the foundation of successful business models. In recent years, the fines imposed on companies whose control mechanisms have failed have risen to dizzying heights. The banking sector has been particularly hard hit. The fines for the ten banks held most accountable add up to almost 100 billion US $. It is particularly important to stress that managers are increasingly frequently being held personally responsible for any misconduct. Her summary: Companies who invest vast sums in additional controls, barriers and audits as they strive to "do everything right" are very often throwing their money away. Really successful companies concentrate on "doing the right things". They establish an intelligent network of governance, control mechanisms and risk management, which gives their managers the necessary security and are starting to make compliance a fixed component of their service commitment.
The aim must be for companies to be able to significantly increase the effectiveness of their governance and control mechanisms by adopting an integrated approach to compliance. This is linked to a reduction in the risk of fines and prison sentences, as well as reducing the strain caused by excessive bureaucratic audits and controls. In short, they give companies back the freedom to concentrate on essential activities – namely their core business.
Three lines of defence
The idea that risks can be most effectively identified and managed at the place they occur is neither new nor innovative. In business practice, there is a common mistaken view of risk managers as "managers of risks". Preventive risk management, which is more than retrospective risk accounting, must be integrated and practiced as a decentralised function in a company's operational units.
A combination of the financial crisis and various corporate scandals have led to the realisation that corporate governance has to be modified and, in particular, new control mechanisms need to be introduced to identify risks earlier. In this context, the so-called "Three Lines of Defence" model (TLoD for short) is an effective control and monitoring system that has been introduced in numerous companies. The "first line of defence" is made up of the operational units, in other words the risk owners. They are responsible for achieving a healthy balance between risks and opportunities, and between risks and risk bearing capacity, in their area. The "second line of defence" is where operational controls are implemented. This is mainly the province of the company's risk management, corporate security, compliance and IT security departments. They act as a kind of "inhouse consultant" and provide tools and processes for the operational units. They also exert an influence on risk policy and propose the necessary controls for consideration of processes subject to risk.
In addition, they are the communication channel to senior management, collate all business risks (and opportunities) to obtain an overall picture, and support senior management in implementing a corporate management system focused on opportunities and risks – and therefore on value. The "third line of defence" represents another independent organisational unit that supports the executive and supervisory boards in final monitoring and management of existing and potential risks. In practice, this is normally internal auditing, which monitors and supports the subordinate lines of defence.
The underestimated risk
The full scale of the losses resulting from the cyber attack at the German parliament has been revealed in recent weeks. Experts at the Federal Office for Information Security now consider it unlikely that the network can be salvaged after the attacks. In his presentation, Rolf Riemenschnitter, Chief Information Security Officer (CISO) at Deutsche Bank, argued that cyber risk will become the key risk, both for companies and for all of us as private individuals. And we ourselves are the biggest risk. A few months ago, it came to light that according to the FBI a hacker from the USA managed to hack into the on-board electronics of various Airbus and Boeing aircraft on several occasions. Various media outlets are reporting that the hacker was even able to gain control of the thrust of an aircraft. He was able to control the turbines from the cabin using a "climb" command.
In June 2014, experts from Kaspersky Lab reported an attack on customers of a major European bank. The attack – which became known by the name "Luuuk"– was based on a "Man in the Browser" (MITB) method. By accessing the login data for online banking, the cyber criminals debited between 1,700 and 39,000 EUR from the compromised accounts. Kaspersky Lab's IT security forecasts for 2015 predict that there will be a further increase in attacks on cash machines. APT (Advanced Persistent Threat) techniques could be used, aimed at the heart of cash machines. Attackers could also compromise bank networks, enabling them to manipulate cash machines in real time. How vague and fragile everything is in times like these is shown by the fact that the experts from Kaspersky Lab have recently been the target of a cyber attack themselves.
All of this leads Rolf Riemenschnitter to conclude that there is no such thing as one hundred percent security. However, prevention can avert a large number of scenarios. The key to doing this is risk culture. According to information from the Federal Bureau of Investigation (FBI), the central security organisation in the USA, 80 percent of cyber risks could be prevented if system administrators had installed patches. Independent studies reveal that more than a third of IT risks are caused by negligence or human error. The consequence of this is that training and awareness of appropriate information security are a key element of IT risk management.
Rolf Riemenschnitter indicated that traditional IT security methods are unable to provide effective protection for Deutsche Bank's business. Against this backdrop, Deutsche Bank has established the role of Chief Information Security Officer (CISO) as a second line of defence. The CISO's responsibilities include defining and implementing the vision and strategy in the area of information security. In addition, his duties include development, implementation and maintenance of IT security processes throughout the organisation. This includes creation of appropriate standards and controls, and drawing up and implementing guidelines.
Studies confirm a clear trend. For the fourth time, the insurance company Allianz has analysed which risks are threatening companies worldwide. Based on information from 516 risk managers, they produced the "Allianz Risk Barometer – The 10 biggest business risks 2015". For 2015, cyber crime is in fifth place. As a comparison, last year risks such as IT failures, espionage and data misuse were in 12th place, and 15th place in 2013.
Risk remains risky
The FIRM Offsite and the FIRM research conference 2015 unfolded banks' risk map for the third year in succession. On the one hand, it was clear that in an increasingly complex and volatile market environment it will be increasingly difficult to preventively identify the relationships and possible impacts of relevant risks. Cyber risk must be mentioned as one of the key issues. On the other hand, the discussions at the Glashütten College confirmed the fact that it is increasingly important for risk management to be integrated into a bank's overall strategy. Risks are the basis of the banking business. What dealing with them responsibly means for us is prudently weighing up the expected added value against possible downside risks. Optimum management of risks as a core element of the banking business calls for a clear head, a good overview and far-sightedness. FIRM repeatedly offers the best conditions to achieve this – not just in its choice of conference venue in the High Taunus.
Frank Romeike, Managing Partner of RiskNET GmbH, board member of the Society of Risk Management and Regulation and editor in chief of RISIKO MANAGER magazine.